
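Table 6.4: Right-to-left exponentiation with sliding windows or unsigned fractional windows, $\ell = 1023$

| | $w=2$, slid. w. | $w=2$, u. fract. $m=1$ | $w=3$, slid. w. | $w=3$, u. fract. $m=1$ | $w=3$, u. fract. $m=3$ | $w=3$, u. fract. $m=5$ | $w=4$, slid. w. |
|---|---|---|---|---|---|---|---|
| right-to-left stage: squarings | ≤ 1023 | ≤ 1023 | ≤ 1023 | ≤ 1023 | ≤ 1023 | ≤ 1023 | ≤ 1023 |
| right-to-left stage: multiplications | 340.0 | 290.3 | 252.8 | 236.7 | 222.3 | 209.4 | 197.6 |
| result stage: input variables | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| result stage: squarings | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| result stage: multiplications | 2 | 4 | 6 | 8 | 10 | 12 | 14 |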

for each additional accumulator, usually in the right-to-left stage, the expected number of right-to-left stage multiplications for $(\ell+1)$-bit scalars is approximately

$$\frac{\ell}{w + \frac{m+1}{2^w} + 1} + 1 - 2^{w-1} - \frac{m+1}{2}$$

for the unsigned fractional window method, and

$$\frac{\ell}{w+1} + 1 - 2^{w-1}$$

for the sliding window method.)

6.4 Compact Encodings

When storing a window NAF or fractional window representation where a single digit may take $w+1$ bits of memory (as it is the case for width-$(w+1)$ NAFs if we take into account that the digit may be zero, and for signed fractional window representations), then it is not necessary to store digits separately in $w+1$ bits each. If memory is scarce, it is possible to exploit the properties of the representation to obtain a more compact encoding into bit strings (cf. [45], where this technique is introduced for width-2 NAFs).

We can encode a zero digit as a single zero bit, and a non-zero digit as a one bit followed by a representation of the respective digit, which together takes $w+1$ bits in the case of window NAFs and $w+2$ bits in the case of signed fractional window representations. After each non-zero digit, there will be $w$ zero digits (unless conversion into a modified window NAF has taken place), and these can be omitted from the encoding. Thus, compared with the usual binary representation of the number, in the case of window NAFs we only have growth by a small constant; in the case of signed fractional window representations (and similarly in the case of unsigned fractional window representations), we also have growth by an additional bit for each non-zero digit of the representation.

This bit string encoding can easily be adapted to the case that the bit string will be read in the reverse of the direction in which it was written (for example, non-zero digits should be encoded as a representation of the respective digit followed by a one bit rather than the other way around).
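The encoding described in this section, as an added Python example that is not part of the original text, for width-$(w+1)$ NAFs written least significant digit first. The function names and the $w$-bit layout used for a non-zero digit are assumptions, since the text does not fix a digit representation.

```python
# Added example, not from the thesis. Digit lists are least significant first.

def wnaf(n, w):
    """Width-(w+1) NAF of n >= 0: each digit is zero or odd with |d| < 2^w."""
    digits = []
    while n:
        d = 0
        if n & 1:
            d = n % (2 << w)              # n mod 2^(w+1)
            if d >= 1 << w:
                d -= 2 << w               # take the signed residue
            n -= d                        # n is now divisible by 2^(w+1)
        digits.append(d)
        n >>= 1
    return digits

def encode(digits, w):
    """Zero digit -> '0'; non-zero digit -> '1' + w digit bits, next w zeros omitted."""
    bits, i = [], 0
    while i < len(digits):
        d = digits[i]
        if d == 0:
            bits.append("0")
            i += 1
            continue
        if any(digits[i + 1:i + 1 + w]):  # e.g. a modified window NAF
            raise ValueError("zeros after a non-zero digit cannot be omitted")
        # Assumed layout: the w high bits of d mod 2^(w+1); the low bit is always 1.
        bits.append("1" + format((d % (2 << w)) >> 1, f"0{w}b"))
        i += w + 1
    return "".join(bits)

def decode(bits, w):
    digits, i = [], 0
    while i < len(bits):
        if bits[i] == "0":
            digits.append(0)
            i += 1
            continue
        d = (int(bits[i + 1:i + 1 + w], 2) << 1) | 1
        if d >= 1 << w:
            d -= 2 << w
        digits += [d] + [0] * w           # restore the omitted zero digits
        i += w + 1
    return digits

def value(digits):
    return sum(d << i for i, d in enumerate(digits))

# Constructed sample: 90 = 1011010 in binary, w = 2.
ENC = encode(wnaf(90, 2), 2)              # 8 bits, against 7 bits in plain binary
```

The encoded length is the NAF length plus $w$, so it exceeds the plain binary length by at most $w+1$ bits.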

Chapter 7

Efficient Multi-Exponentiation

In this chapter, we compare different approaches for computing power products

$$\prod_{1 \le i \le k} g_i^{e_i}$$

in commutative semigroups with neutral element where each $e_i$ is a uniformly chosen random integer in an interval $[0, 2^{L_i} - 1]$. Let $L$ be the bit-length of the longest of the $e_i$ (i.e., $e_i \in [0, 2^L - 1]$ for all $i$, and there is an $i$ such that $e_i \ge 2^{L-1}$). It is well known that the trivial approach to perform multi-exponentiation by computing the powers $g_i^{e_i}$ separately and then multiplying them is, in general, unnecessarily inefficient compared with specific methods for multi-exponentiation. To illustrate how these methods work, the following alternative notation for this power product will be employed (compare with the notation for matrix products):

$$(g_1, \ldots, g_k) \bullet \begin{pmatrix} e_1 \\ \vdots \\ e_k \end{pmatrix}$$

Repeated single exponentiations with precomputation for a fixed base will also be considered in this chapter because multi-exponentiation techniques can be used for this task.

Like left-to-right methods for single exponentiations (see section 6.1.1), the multi-exponentiation methods that we will look at work in two stages: first, in the precomputation stage, an auxiliary table of semigroup elements is computed from the elements $g_i$; then, in the evaluation stage (or left-to-right stage), the final result is computed using these auxiliary values.

An often-used approach for multi-exponentiation combines all input elements $g_i$ with each other in the precomputation stage ([35], [83], [91]); then the evaluation stage looks at all exponents simultaneously. We refer to these multi-exponentiation methods as simultaneous exponentiation. Section 7.1 describes two variants of simultaneous exponentiation: Straus’s simultaneous $2^w$-ary method [83] and the simultaneous sliding window method of Yen, Laih, and Lenstra [91]. (The method described in [35], which is known as “Shamir’s trick”, appears as a special case of both of these.) For these methods, we assume that $L_i$ is the same for all $i$.

Section 7.2 presents an alternative approach, interleaved exponentiation, which treats the $g_i$ separately in the precomputation stage and where the evaluation stage uses an interleaving of the generators and exponents for the various $i$ rather than handling multiple $i$ simultaneously. This approach can be used with the various encoding techniques that we have examined in chapter 6. Specifically, the basic interleaved exponentiation method is the combination of interleaved exponentiation with the left-to-right sliding window technique, and the window-NAF based interleaved exponentiation method is the combination of interleaved exponentiation with the window NAF technique. The former method can be used for arbitrary commutative semigroups with neutral element, the latter method is applicable for groups where inverting elements is easy.

In section 7.3, we compare the efficiency of simultaneous exponentiation methods and interleaved exponentiation methods. Our comparison shows that in general semigroups, sometimes simultaneous exponentiation and sometimes interleaved exponentiation is more efficient. In groups where inverting elements is easy (e.g. elliptic curves), window-NAF based interleaved exponentiation usually wins over simultaneous exponentiation.

Section 7.4 discusses variants that can be advantageous when the bases $g_i$ are fixed for many multi-exponentiations. In such cases, precomputation need not be repeated, so it can pay out to invest more work in precomputation to obtain speed-ups. Note that single exponentiation is a special case of multi-exponentiation ($k = 1$), and that these variants can be very useful for this case. One of the techniques presented there is window NAF splitting, which can be used for efficient exponentiation or multi-exponentiation with precomputation in groups where inversion is easy; it provides a convenient alternative to the patented Lim-Lee method.

7.1 Simultaneous Exponentiation

We look at two multi-exponentiation methods using simultaneous exponentiation (as opposed to interleaved exponentiation, which will be introduced in section 7.2): Straus’s $2^w$-ary method (section 7.1.1) and the sliding window method of Yen, Laih, and Lenstra (section 7.1.2).

As noted in the introduction to this chapter, all algorithms that we consider are related and work in two stages: first, the precomputation stage prepares an auxiliary table of semigroup elements; then, the evaluation stage (left-to-right stage) computes the final result using this table. For comparing different methods, we examine the two stages separately.

Parameter $w$ is always a positive integer, the window size; larger window sizes make the precomputation stage less efficient, but speed up the evaluation stage. It is not possible to give a general rule for selecting an optimal $w$ (cf. section 7.3).

Relevant features of the precomputation stage are the number of squarings and general multiplications required for computing the auxiliary table, and the number of table entries. The precomputed tables will always contain the values $g_1, \ldots, g_k$, all of which are trivially available. It will be visible that computing each additional table entry requires one multiplication or, for some of the table entries in the simultaneous $2^w$-ary method, one squaring. In addition to this, $k$ squarings are needed by the simultaneous sliding window method if $w > 1$.

The evaluation stage requires both squarings and multiplications. For each multi-exponentiation method, we look at the number of squarings and the expected number of general multiplications for given $k$, $L$, and $w$. In this section, we assume that the maximum bit-length $L_i$ is the same for all $i$.

The window size $w$ is assumed to be small in comparison with the maximum bit-length $L$ (otherwise the precomputation stage would become unreasonably expensive).

It should be noted that a slight optimization for the precomputation stage is possible in all methods by first looking which table entries are actually needed (either during the evaluation stage, or because other precomputed table entries that are needed in the evaluation stage depend on them) and limiting precomputation to these. As this optimization will usually only have a small effect in practice, we neglect it in our comparisons.

For the number of squarings in the evaluation stage, we assume that the following optimization is used: as initially variable $A$ is $1_G$ (the neutral element of $G$) in all algorithms, squarings can easily be avoided until a different value has been assigned to $A$.

Formulas for the expected number of multiplications during the evaluation stage given in the following are actually asymptotics for large $L/w$ rather than precise values (we do not take into account the special probability distributions encountered at both ends of the exponents). As in practice $w$ will be much smaller than $L$, the error can be neglected for our purposes.

Just as squarings can be eliminated in the evaluation stage while $A$ is $1_G$, the first multiplication of $A$ by a table entry can be replaced by an assignment. This minor optimization is not used in our figures below; note that it applies similarly to all algorithms discussed in this chapter (and does not affect asymptotics), so comparisons between different methods remain just as valid.

7.1.1 Simultaneous $2^w$-Ary Exponentiation Method

Straus’s simultaneous $2^w$-ary exponentiation method [83] (see also [53]) looks at $w$ bits of each of the exponents for each evaluation stage semigroup multiplication, i.e. $kw$ bits in total. The special case where $w = 1$ is also known as “Shamir’s trick” since it was described in [35] with a reference to Shamir (but note that [83] is a much earlier publication).

Precomputation Stage

Precompute $\prod_{1 \le i \le k} g_i^{E_i}$ for all non-zero $k$-tuples $(E_1, \ldots, E_k) \in \{0, \ldots, 2^w - 1\}^k$.

Number of table entries: $2^{kw} - 1$. Of these, $k$ are trivially available; $2^{k(w-1)} - 1$ can be computed by squaring other table entries (all the $E_i$ are even); the remaining $2^{kw} - 2^{k(w-1)} - k$ entries require one general multiplication each.

Evaluation Stage

For the following algorithm, remember that for a non-negative integer $e$, $e[j' \ldots j]$ denotes the integer consisting of the concatenation of bits $j'$ down to $j$ of $e$.

    A ← 1_G
    for j = ⌊(L − 1)/w⌋ · w down to 0 step w do
        for n = 1 to w do
            A ← A^2
        if (e_1[j+w−1 … j], …, e_k[j+w−1 … j]) ≠ (0, …, 0) then
            A ← A · ∏_i g_i^(e_i[j+w−1 … j])    {multiply A by table entry}
    return A

Number of squarings: $\left\lfloor \frac{L-1}{w} \right\rfloor \cdot w$.

Expected number of multiplications: $\frac{L}{w} \cdot \left(1 - \frac{1}{2^{kw}}\right)$.

Example

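The simultaneous $2^w$-ary exponentiation method can be illustrated as follows in a small toy example for the case $k = 3$ with $e_1 = 1011010_2$, $e_2 = 11001_2$, $e_3 = 1001011_2$ and window size $w = 2$:

$$(g_1, \ldots, g_k) \bullet \left(\begin{array}{|cc|cc|cc|cc|} 0 & 1 & 0 & 1 & 1 & 0 & 1 & 0_2 \\ 0 & 0 & 0 & 1 & 1 & 0 & 0 & 1_2 \\ 0 & 1 & 0 & 0 & 1 & 0 & 1 & 1_2 \end{array}\right)$$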

Each box corresponds to one evaluation stage multiplication.
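The method of this section over the integers modulo $p$, as an added Python example that is not part of the original text; it counts operations so that the table-size and squaring formulas above can be checked on the toy exponents. The names `precompute` and `straus`, the modulus and the bases are assumptions.

```python
# Added example, not from the thesis: simultaneous 2^w-ary method in Z_p.
from itertools import product

def precompute(gs, w, p):
    """Table of prod g_i^E_i mod p for all non-zero E, one operation per entry."""
    table, sq, mul = {}, 0, 0
    for E in product(range(1 << w), repeat=len(gs)):    # lexicographic order
        if not any(E):
            continue
        if sum(E) == 1:                                  # g_i itself: trivially available
            table[E] = gs[E.index(1)] % p
        elif all(x % 2 == 0 for x in E):                 # all E_i even: square entry E/2
            table[E] = table[tuple(x // 2 for x in E)] ** 2 % p
            sq += 1
        else:                                            # earlier entry times g_i
            i = next(n for n, x in enumerate(E) if x % 2)
            table[E] = table[E[:i] + (E[i] - 1,) + E[i + 1:]] * gs[i] % p
            mul += 1
    return table, sq, mul

def straus(gs, es, w, p):
    """Return (prod g_i^e_i mod p, squarings, multiplications) of the evaluation stage."""
    table, _, _ = precompute(gs, w, p)
    L = max(e.bit_length() for e in es)
    A, sq, mul, assigned = 1, 0, 0, False
    for j in range((L - 1) // w * w, -1, -w):
        if assigned:                                     # no squarings while A is 1_G
            for _ in range(w):
                A = A * A % p
            sq += w
        E = tuple((e >> j) & ((1 << w) - 1) for e in es)
        if any(E):                                       # skip the all-zero window
            A = A * table[E] % p
            mul += 1
            assigned = True
    return A, sq, mul

# Constructed sample: the toy exponents above; bases and modulus are arbitrary.
P = 1_000_003
GS = (2, 3, 5)
ES = (0b1011010, 0b11001, 0b1001011)
RESULT, SQ, MUL = straus(GS, ES, 2, P)
```

Because the all-zero window is skipped, the number of evaluation stage multiplications depends on the exponent values.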

7.1.2 Simultaneous Sliding Window Exponentiation Method

The simultaneous sliding window exponentiation method of Yen, Laih, and A. Lenstra [91] is an improved variant of the $2^w$-ary method described in section 7.1.1. Due to the use of a sliding window, table entries are required only for those tuples $(E_1, \ldots, E_k)$ where at least one of the $E_i$ is odd. (Note that while values $g_i^2$ no longer appear in the precomputed table, the precomputation stage now needs them as intermediate values unless $w = 1$.) Also the expected number of multiplications required in the evaluation stage is reduced. Like the $2^w$-ary method, this method looks at $w$ bits of each of the exponents for each evaluation stage semigroup multiplication ($kw$ bits in total). For $w = 1$, this again is “Shamir’s trick”. For $k = 1$, this is the usual sliding window method for a single exponentiation (see section 6.2).

Precomputation Stage

Precompute $\prod_{1 \le i \le k} g_i^{E_i}$ for all $k$-tuples $(E_1, \ldots, E_k) \in \{0, \ldots, 2^w - 1\}^k$ where at least one of the $E_i$ is odd.

Number of table entries: $2^{kw} - 2^{k(w-1)}$.

Number of squarings: $k$ if $w > 1$; none otherwise.

Number of general multiplications: $2^{kw} - 2^{k(w-1)} - k$.

Evaluation Stage

    A ← 1_G
    j ← L − 1
    while j ≥ 0 do
        if ∀i ∈ {1, …, k}: e_i[j] = 0 then
            A ← A^2; j ← j − 1
        else
            j_new ← max(j − w, −1)
            J ← j_new + 1
            while ∀i ∈ {1, …, k}: e_i[J] = 0 do
                J ← J + 1
            {now j ≥ J > j_new}
            for i = 1 to k do
                E_i ← e_i[j … J]
            while j ≥ J do
                A ← A^2; j ← j − 1
            A ← A · ∏
